Governance, Risk and Compliance (GRC) and Identity and Access Management (IAM) are two separate disciplines with completely different reporting structures and distinct purposes. Yet, like many of our favorite things (milk and cookies, peanut butter and chocolate, Netflix and our couch), when they work together, the benefits are greater than the sum of their parts.
GRC is business driven; its purpose is to align risk management efforts to high-level business strategy, and it often reports up into the CFO. IAM is more technical in nature, with IAM practitioners usually reporting up to the CISO. Yet, whether they realize it or not, the two teams have a symbiotic relationship. When collaborating and working together in lock step, security and risk professionals can do more together than they could alone, specifically: (1) set the foundations for risk mitigation and comply more effectively with regulations – GRC territory, and (2) implement access rights, provisioning/deprovisioning of users and automated approval workflows – IAM territory.
To manage risk effectively, organizations need a team that can understand risk, translate regulatory requirements into their business and ultimately drive and monitor this process with controls, documentation and evidence. That's where the GRC team comes in. But the GRC team needs the IAM team to implement the granting/revoking of access based on user roles and permissions defined in HR systems, Active Directory or LDAP, and the approval workflows for application owners and managers that need to sign off on access requests. Identity Governance tools can also use automation to enforce separation of duties (SOD), perform ongoing access recertifications and enforce distinct access control and authentication policies for employees and third parties.
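To make the two automated controls above concrete, here is an added example (not code from any Identity Governance product mentioned here) that runs a SOD check and an access-recertification check over a small constructed set of role assignments. The role names, the SOD rule pairs, the certification dates and the 90-day recertification window are all assumptions chosen for illustration; in practice the rule pairs and the window come from the GRC team's policy, and the role assignments come from the HR system or directory.

```python
"""Toy identity-governance checks: separation of duties (SOD) and
access recertification over constructed role data.
Added example; not the code of any vendor or product."""
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed sample: role assignments as they might be synced from HR / AD / LDAP.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_invoice_entry", "ap_payment_approval"},    # holds a conflicting pair
    "bob":   {"ap_invoice_entry"},
    "carol": {"vendor_master_edit", "ap_payment_approval"},  # holds a conflicting pair
    "dave":  {"helpdesk"},
}

# Assumed SOD policy, as the GRC team would define it: pairs of roles that one
# person must never hold at the same time (enter an invoice AND approve its payment).
SOD_RULES: List[Tuple[str, str]] = [
    ("ap_invoice_entry", "ap_payment_approval"),
    ("vendor_master_edit", "ap_payment_approval"),
]

# Constructed recertification history: when a manager last attested that the
# user still needs the role. A missing entry means it was never certified.
LAST_CERTIFIED: Dict[Tuple[str, str], date] = {
    ("alice", "ap_invoice_entry"): date(2024, 6, 1),
    ("bob", "ap_invoice_entry"): date(2024, 5, 15),
    ("dave", "helpdesk"): date(2024, 1, 10),
}


def find_sod_violations(
    user_roles: Dict[str, Set[str]], rules: List[Tuple[str, str]]
) -> Dict[str, List[Tuple[str, str]]]:
    """Return {user: [violated rule pairs]} for every user holding both roles of a rule."""
    violations: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        hits = [rule for rule in rules if rule[0] in roles and rule[1] in roles]
        if hits:
            violations[user] = hits
    return violations


def entitlements_due_for_recert(
    user_roles: Dict[str, Set[str]],
    last_certified: Dict[Tuple[str, str], date],
    today: date,
    max_age_days: int = 90,
) -> List[Tuple[str, str]]:
    """Return (user, role) pairs never certified or certified more than max_age_days ago."""
    due: List[Tuple[str, str]] = []
    for user, roles in user_roles.items():
        for role in sorted(roles):  # sorted so the report order is stable
            certified = last_certified.get((user, role))
            if certified is None or (today - certified).days > max_age_days:
                due.append((user, role))
    return due


if __name__ == "__main__":
    # Assumed review date for the constructed data.
    review_date = date(2024, 6, 30)
    for user, hits in find_sod_violations(USER_ROLES, SOD_RULES).items():
        print(f"SOD violation: {user} holds {hits}")
    for user, role in entitlements_due_for_recert(USER_ROLES, LAST_CERTIFIED, review_date):
        print(f"Recertification due: {user} / {role}")
```

The SOD check is the GRC rule set applied mechanically to the IAM data, which is exactly the hand-off the two teams need to agree on: if the rule pairs are vague or the role data is stale, the check is worthless no matter how well it is automated. The recertification check treats "never certified" the same as "expired", so a newly provisioned entitlement shows up for attestation rather than silently passing.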
The IAM team is focused on implementing the management of user access rights, but it can't set the administrative and security controls appropriately unless they're aligned to the policies set down by the GRC team. In fact, compliance shows up as the primary driver for purchasing IAM software. We get lots of inquiries from IAM teams rushing to buy an Identity Governance solution or a Privileged Identity Management solution because they got dinged by the auditors. Proper alignment with the GRC team would go a long way towards avoiding knee-jerk, reactive spending.
Parting advice – make sure your GRC and IAM teams understand their symbiotic relationship, and meet regularly to update and adjust when changes to regulations or company policy are coming down the pipe, or when IAM systems are being retooled.
If your firm has a GRC/IAM success story, we want to hear from you!